firebase - Firestore security rules: request.query.limit not working with compound query

 allow list: if request.query.limit <= 15;

This rule is simply ignored when used with a compound query.

firestore().collection('orders').where('customerId', '==', uid)
  .where('orderStatusCode', 'in', [1, 2, 3])
  .limit(100)
  .get()....

Security rule:

match /orders/{order} {
  allow list: if request.query.limit <= 15;

  allow read: if request.auth.uid == resource.data.customerId;
  allow create: if request.auth != null;
  allow update: if request.auth.uid == resource.data.customerId;
  allow delete: if false;
}
question from:https://stackoverflow.com/questions/65626180/firestore-security-rules-request-query-limit-not-working-with-compound-query


1 Reply


Firestore security rules will allow the operation if any of the security rules allow the operation.

In your case, you are allowing read access in the line after the list rule. read is a combination of get and list: get is for document-specific queries, and list is for queries on a collection. Even though the list rule was denied, the read rule was passing, so your query was getting data.

You can update your security rule like this for it to work:

match /orders/{order} {
  allow list: if request.query.limit <= 15;

  allow get: if request.auth.uid == resource.data.customerId;
  allow create: if request.auth != null;
  allow update: if request.auth.uid == resource.data.customerId;
  allow delete: if false;
}

Or, if you want to make data available to users where auth.uid == customerId, it would be like this:

match /orders/{order} {
  allow list: if request.query.limit <= 15
    && request.auth.uid == resource.data.customerId;

  allow get: if request.auth.uid == resource.data.customerId;
  allow create: if request.auth != null;
  allow update: if request.auth.uid == resource.data.customerId;
  allow delete: if false;
}
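An added Python model (not Firebase code and not part of the answer) of the two rule-engine behaviours the answer relies on: an operation is permitted when any matching allow statement is true, and `read` is shorthand for `get` plus `list`. Run against the question's rules it reproduces the bug (an owner's limit-100 list passes through `allow read`), and it also shows that the bare `allow list: if request.query.limit <= 15` grants any caller, authenticated or not, a list of up to 15 documents, which is why the answer's second variant adds the owner check to list. `Request`, `ORDERS`, `allowed` and the rule dictionaries are constructed names for this example; the per-document check for list queries is an approximation of how Firestore evaluates rules against a query.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample data: two order documents, both owned by customer "alice".
ORDERS = [
    {"customerId": "alice", "orderStatusCode": 1},
    {"customerId": "alice", "orderStatusCode": 2},
]

class Request:
    """request.auth.uid and request.query.limit as seen by the rules engine."""
    def __init__(self, op: str, uid: Optional[str], limit: Optional[int] = None):
        self.op, self.uid, self.limit = op, uid, limit

Cond = Callable[[Request, dict], bool]

def is_owner(req: Request, doc: dict) -> bool:
    return req.uid is not None and req.uid == doc["customerId"]

def limit_ok(req: Request, doc: dict) -> bool:
    # request.query.limit is undefined without a .limit() clause; treat as false.
    return req.limit is not None and req.limit <= 15

# The question's rules: `allow read` (= get + list) sits beside `allow list`.
RULES_ORIGINAL: Dict[str, Cond] = {"list": limit_ok, "read": is_owner}
# The answer's second variant: read split into get/list, owner check on both.
RULES_FIXED: Dict[str, Cond] = {
    "list": lambda r, d: limit_ok(r, d) and is_owner(r, d),
    "get": is_owner,
}

def grants(op: str) -> set:
    """Statements that can authorise `op`: `read` is shorthand for get and list."""
    return {op, "read"} if op in ("get", "list") else {op}

def allowed(rules: Dict[str, Cond], req: Request, docs: List[dict]) -> bool:
    """Permit if ANY applicable allow statement is true. For a list the model
    checks every document the query would return, approximating Firestore's
    requirement that the query be constrained so no result can violate the rule."""
    conds = [c for name, c in rules.items() if name in grants(req.op)]
    return bool(docs) and all(any(c(req, d) for c in conds) for d in docs)

if __name__ == "__main__":
    big = Request("list", "alice", limit=100)
    print("original rules, owner, limit 100:", allowed(RULES_ORIGINAL, big, ORDERS))  # True
    print("fixed rules,    owner, limit 100:", allowed(RULES_FIXED, big, ORDERS))     # False
    print("original rules, no auth, limit 10:", allowed(RULES_ORIGINAL, Request("list", None, 10), ORDERS))  # True
```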
